
Megalodon GitHub Actions attack scans 5,561 repos for CI/CD secrets; polymarketdev publishes nine wallet-stealer npm packages

SafeDep has detailed Megalodon, a GitHub Actions attack that scans 5,561 repositories for usable CI/CD secrets and credentials by submitting malicious pull requests that contain crafted workflow files. The campaign appears unrelated to the recent TeamPCP supply-chain wave. Separately, a throwaway npm account 'polymarketdev' published nine packages within 30 seconds (polymarket-trading-cli, polymarket-terminal, polymarket-trade, polymarket-auto-trade, polymarket-copy-trading, polymarket-bot, polymarket-claude-code, polymarket-ai-agent, polymarket-trader) that, on postinstall, present a fake wallet onboarding prompt and exfiltrate Ethereum and Polygon private keys to a Cloudflare Worker at polymarketbot.polymarketdev.workers[.]dev. The malicious packages remain live on npm at time of publication.

Check
Search GitHub Actions audit logs for unfamiliar workflow files added via pull requests since May 21. Search npm install logs for any polymarket-* package.
Affected
5,561 GitHub repositories specifically targeted by Megalodon malicious pull requests. Any Ethereum or Polygon developer who installed polymarket-* npm packages exposed wallet keys.
Fix
Restrict workflows triggered by pull_request_target. Pin GitHub Actions to full commit SHAs, not tags. Treat any system that ran polymarket-* packages as compromised and rotate wallet keys immediately.
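The Check and Fix items above amount to two audits a defender can script: flag workflow files that trigger on pull_request_target or reference actions by tag rather than commit SHA, and flag any polymarket-* dependency in a project's package.json. The following Python is an added example written for this brief, not SafeDep's tooling; the workflow text, the package.json, and the 40-hex pins in it are constructed for illustration (verify any SHA against the action's release page before pinning to it).

```python
import json
import re

# Constructed sample workflow (not from the article). It has both settings the
# Fix section says to change: a pull_request_target trigger and a tag-pinned action.
SAMPLE_WORKFLOW_WEAK = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b
      - run: npm ci
"""

# Constructed hardened version: plain pull_request trigger, every action pinned to
# a full commit SHA (placeholder values for the example).
SAMPLE_WORKFLOW_FIXED = """\
name: ci
on:
  pull_request:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
      - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b
      - run: npm ci
"""

# Constructed package.json containing one of the nine package names from the brief.
SAMPLE_PACKAGE_JSON = """\
{
  "name": "my-app",
  "dependencies": {
    "express": "^4.19.2",
    "polymarket-trading-cli": "1.0.0"
  },
  "devDependencies": {
    "jest": "^29.7.0"
  }
}
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# "uses:" lines in block or list form; stops at whitespace or a trailing comment.
USES_RE = re.compile(r"^[ \t]*(?:-[ \t]*)?uses:[ \t]*([^\s#]+)", re.MULTILINE)
# pull_request_target as a mapping key, a list item, or inside "on: [ ... ]".
TRIGGER_RE = re.compile(
    r"^[ \t]*(?:-[ \t]*)?pull_request_target[ \t]*:?[ \t]*$"
    r"|^[ \t]*on:[ \t]*\[[^\]]*\bpull_request_target\b",
    re.MULTILINE,
)


def audit_workflow(text):
    """Return a list of findings for one workflow file's text."""
    findings = []
    if TRIGGER_RE.search(text):
        findings.append("trigger: pull_request_target (runs with repository secrets; restrict it)")
    for match in USES_RE.finditer(text):
        ref = match.group(1)
        # Local and docker:// actions have no remote ref to pin.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _action, _, version = ref.rpartition("@")
        if not SHA_RE.match(version):
            findings.append(f"unpinned action: {ref} (pin to a full commit SHA)")
    return findings


def find_polymarket_packages(package_json_text):
    """Return (section, name) pairs for any polymarket-* dependency."""
    data = json.loads(package_json_text)
    hits = []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name in data.get(section, {}):
            if name.startswith("polymarket-"):
                hits.append((section, name))
    return hits


if __name__ == "__main__":
    for label, text in (("weak", SAMPLE_WORKFLOW_WEAK), ("fixed", SAMPLE_WORKFLOW_FIXED)):
        print(label, audit_workflow(text) or "no findings")
    print("npm", find_polymarket_packages(SAMPLE_PACKAGE_JSON) or "no polymarket-* packages")
```

To run this against a real checkout, feed each file under .github/workflows/ to audit_workflow and the project's package.json (or each package.json inside node_modules/) to find_polymarket_packages; a non-empty result from the second function is the "treat as compromised, rotate keys" case from the Fix section.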